Transparent Proxy: invisible filtering
Introduction

There are advantages and disadvantages to having a transparent proxy.  Your school will need to decide what suits your environment best.

Advantages:
  • no need to define proxy details on individual devices - the gateway device manages filtering
  • suits some devices and applications that cannot support proxies
Disadvantages:
  • one-size-fits-all filtering unless you use Group ACLs based on IP addresses
  • no monitoring of individual use
  • https filtering is harder to work with

As a very general rule in a school environment a transparent proxy is best suited to a primary environment and an authenticating proxy is best suited to a secondary environment.

pfSense allows the proxy server to be configured as a transparent proxy yet still reap the benefits of using blacklists, target categories and time based rules.

It is assumed that the relevant packages have been installed using the "System", "Packages" menu.  Instructions are here.  There are issues with https filtering using this configuration.

The pfSense box has to be the gateway device on your LAN.


squid and https filtering

The very nature of https makes filtering it difficult: it was designed to be secure so that intermediary systems cannot see the detail of the traffic being passed.  There are various approaches such as "man in the middle", but these can be more problematic as you need to delve into the murky world of certificates.  You could choose options like WPAD (http://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid), or you could simply block all direct outbound traffic on port 443 and force users to enter https proxy server details if they need access to a secure site.  Another option is simply not to bother filtering https traffic, but then you run the risk of users simply trying the https version of a site, e.g. https://www.facebook.com.

A simple option is to block all outbound port 443 access except for explicitly permitted sites, using a LAN firewall rule with an alias: the alias defines the allowed outbound destinations on port 443.  Use this in tandem with a second rule that then blocks all other port 443 access.
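As an added example (not the page's own text, and not the ruleset pfSense generates), here is what those two LAN rules look like in pf.conf form, together with the port 80 redirect that makes squid transparent.  The interface name em1, the 192.168.1.0/24 network, the alias name https_allowed, the hostnames in it and squid's port 3128 are all assumptions.

```pf
# Assumed LAN interface and network (pfSense fills these in from its own
# interface configuration; the values here are constructed for the example).
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# The "alias" of explicitly permitted https destinations. pf resolves these
# constructed sample hostnames when the ruleset is loaded.
table <https_allowed> { www.example-lms.org, www.example-library.org }

# Transparent proxy: redirect plain http leaving the LAN to squid on the
# firewall itself. Clients need no proxy settings for this to take effect.
rdr pass on $lan_if proto tcp from $lan_net to ! $lan_if port 80 \
    -> 127.0.0.1 port 3128

# Rule 1: allow direct https only to the alias members. With "quick" the
# first matching rule wins, so this pass must sit above the block below,
# exactly as the pass rule must be above the block rule on the LAN tab.
pass in quick on $lan_if proto tcp from $lan_net to <https_allowed> port 443

# Rule 2: every other outbound https attempt from the LAN is dropped.
block in quick on $lan_if proto tcp from $lan_net to any port 443

# Checks after loading (pfctl -f /etc/pf.conf):
#   pfctl -sr                       # confirm the pass rule precedes the block
#   pfctl -t https_allowed -T show  # see which addresses the alias resolved to
```

Hostnames in the alias only cover the addresses known when the ruleset was loaded, so a permitted site served from a large pool of addresses may be only partly reachable until the alias is refreshed.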

Feel free to send email to pfsense@mtaspiring.school.nz with practical solutions that would be easily implemented by schools.  Solutions will be added to this page.


pfSense - Configure Squid as a Transparent Proxy

To make squid act as a transparent proxy using pfSense takes a single "tick" on the "General" tab  - use the "Services", "Proxy server" menu.

[Screenshot: the "General" tab of the Proxy server settings, with the transparent proxy option circled in red]

In the example above put a tick where the red oval is.  At Mt Aspiring we have not ticked this as we want to run an authenticating proxy as we need different filtering rules for different people and we want to monitor what individuals do.